Implement zero-knowledge proofs
Opened this issue · 1 comments
nickboucher commented
Implement zero-knowledge proofs
swansonk14 commented
Based on the Shuffle-Sum paper, I think we need to do two types of zero-knowledge proofs:
- Proof of correct decryption
- Proof of correct shuffling
Luckily, the Damgard-Jurik cryptosystem has range proofs that can help with the first point: https://www.brics.dk/DS/03/9/BRICS-DS-03-9.pdf (Section 4.3.4).
The shuffling proofs might be more complex. One description is here: http://www0.cs.ucl.ac.uk/staff/J.Groth/MinimalShuffle.pdf. It's not specific to Damgard-Jurik crypto, but it seems to work for general homomorphic encryption schemes.
I'll keep looking into this to see how difficult it would be to implement these proofs.